    A Risk Assessment Framework for Cloud Computing

    Cloud service providers offer access to their resources through formal service level agreements (SLAs), and need well-balanced infrastructures so that they can maximise the quality of service (QoS) they offer and minimise the number of SLA violations. This paper focuses on a specific aspect of risk assessment as applied in cloud computing: methods within a framework that can be used by cloud service providers and service consumers to assess risk during service deployment and operation. It describes the various stages in the service lifecycle where risk assessment takes place, and the corresponding risk models that have been designed and implemented. The impact of risk on architectural components, with special emphasis on holistic management support at service operation, is also described. The risk assessor is shown to be effective through the experimental evaluation of the implementation, and is already integrated in a cloud computing toolkit.

    Formulating Methodology to Build a Trust Framework for Cloud Identity Management

    The vital element in outsourcing data to the cloud is trust and trustworthiness: confidence that information is protected, unaltered and available on demand. To meet service expectations, efficient and effective infrastructures are required to host the functional processes. One such security process is identity management, which provides authorization for access rights based on verification checks. In this paper, cloud security architecture is reviewed by focusing on the issue of trust and the role of identity management design. A methodology is built to produce cloud artefacts and is then theoretically applied to produce an innovative solution for assessing cloud identity providers (CIdP). The design solution lays out an information security architecture that enhances utility for CIdPs and gives users better options for making trust decisions in the cloud. The contribution of the research is a generic methodology that may be applied to evaluate other security artefacts for the cloud environment.

    Security risk assessment in cloud computing domains

    Cyber security is one of the primary concerns persistent across any computing platform. While addressing apprehensions about security risks, an infinite amount of resources cannot be invested in mitigation measures, since organizations operate under budgetary constraints. Therefore the task of performing security risk assessment is imperative to designing optimal mitigation measures, as it provides insight into the strengths and weaknesses of the different assets affiliated with a computing platform. The objective of the research presented in this dissertation is to improve upon existing risk assessment frameworks and guidelines associated with the different key assets of Cloud computing domains: infrastructure, applications, and users. The dissertation presents various informal approaches to performing security risk assessment which help to identify the security risks confronting the aforementioned assets, and to use the results to carry out the required cost-benefit trade-off analyses. This will benefit organizations by helping them better comprehend the security risks their assets are exposed to and thereafter secure them by designing cost-optimal mitigation measures. --Abstract, page iv

    A Brokering Framework for Assessing Legal Risks in Big Data and the Cloud

    “Cloud computing” and “Big Data” are amongst the most hyped-up terms and buzzwords of the moment. After decades in which individuals and companies hosted their data and applications on their own IT infrastructure, the world has seen the stunning transformation of the Internet. Major shifts occurred when these infrastructures began to be outsourced to public Cloud providers to match commercial expectations. Storing, sharing and transferring data and databases over the Internet is convenient, yet legal risks cannot be eliminated. Legal risk is a fast-growing area of research and covers various aspects of law. Current studies and research on Cloud computing legal risk assessment have, however, been limited in scope and focused mainly on security and privacy aspects. There is little systematic research on the risks, threats and impact of the legal issues inherent to database rights and “ownership” rights of data. Database rights seem to be outdated, and there is a significant gap in the scientific literature when it comes to understanding how to apply their provisions in the Big Data era. This means that we need a whole new framework for understanding, protecting and sharing data in the Cloud. The scheme we propose in this chapter is based on a risk assessment-brokering framework that works side by side with Service Level Agreements (SLAs). This proposed framework will provide better control for Cloud users and will go a long way towards increasing confidence and reinforcing trust in Cloud computing transactions.

    Risk assessment in service provider communities

    On-line service delivery undertaken between clients and service providers often incurs risks for both the client and the provider, especially when such an exchange takes place in the context of an electronic service market. For the client, the risk involves determining whether the requested service will be delivered on time and in accordance with the previously agreed Service Level Agreement (SLA). Often the risk to the client can be mitigated through the use of a penalty clause in the SLA. For the provider, the risk revolves around ensuring that the client will pay the advertised price and, more importantly, whether the provider will be able to deliver the advertised service without incurring the penalty identified in the SLA. This becomes more significant when service providers outsource the actual enactment/execution to a data centre, a trend that has become dominant in recent years with the emergence of infrastructure providers such as Amazon. In this work we investigate the notion of “risk” from a variety of different perspectives and demonstrate how risk to a service owner (who uses an external, third-party data centre for service hosting) can be managed more effectively. A simulation-based approach is used to validate our findings.

    An Integrated Framework for the Methodological Assurance of Security and Privacy in the Development and Operation of MultiCloud Applications

    This Thesis studies research questions about how to design multiCloud applications taking into account security and privacy requirements to protect the system from potential risks, and about how to decide which security and privacy protections to include in the system. In addition, solutions are needed to overcome the difficulties in assuring that security and privacy properties defined at design time still hold all along the system life-cycle, from development to operation. In this Thesis an innovative DevOps integrated methodology and framework are presented, which help to rationalise and systematise security and privacy analyses in multiCloud to enable an informed decision process for the risk-cost balanced selection of the protections of the system components and the protections to request from the Cloud Service Providers used. The focus of the work is on the Development phase of the analysis and creation of multiCloud applications. The main contributions of this Thesis for multiCloud applications are four: i) the integrated DevOps methodology for security and privacy assurance; and its integrating parts: ii) a security and privacy requirements modelling language, iii) a continuous risk assessment methodology and its complementary risk-based optimisation of defences, and iv) a Security and Privacy Service Level Agreement Composition method. The integrated DevOps methodology and its integrating Development methods have been validated in the case study of a real multiCloud application in the eHealth domain. The validation confirmed the feasibility and benefits of the solution with regard to the rationalisation and systematisation of security and privacy assurance in multiCloud systems.

    Cloud outsourcing:Theoretical & practical evidence of cloud governance strategies by financial institutions in Europe, the United States and Canada

    This study examined the risk and governance challenges experienced by financial institutions that outsource cloud technologies. Cloud outsourcing prompts a new way of working and fosters an environment in which technology and data are shared across groups and are housed in regional hubs, according to global standards that are influenced by various countries’ policies. Therefore, to effectively manage the cloud, institutions need a thorough understanding of the applicable laws governing the cloud relationship and those that influence the internal control environment. The study explains that, conceptually, the framework nature of cloud contracts and the flexibility of the regulation make it especially difficult for institutions to efficiently manage risks. A real case study of a cloud outsourcing transaction and survey data from financial institution experts were used to study expert perceptions of the severity of various types of cloud risks and the effectiveness of institutional risk management approaches. These findings were also confirmed in a comparative institutional study, where similarities were found in the risk and governance concerns of experts working at 13 different institutions in the United States, Europe, and Canada. Through this investigation, it was found that efficient governance can be more difficult for institutions that comply with US regulations owing to considerable differences in state policies on data privacy. Finally, this study examined how uncertainties in the evaluation of data breaches and network failures become visible in other internal practices, such as cloud risk assessments. A series of cloud risk experiments was created and distributed to 131 cloud risk experts working at financial institutions in the EU and the US to compare whether their risk assessments would differ significantly. The results show that the lack of specification in the regulations and the experience of cloud experts can contribute to considerable differences in their risk and disclosure choices. In practice, most experts face significant challenges in assessing the severity of cloud risk events, which has broader implications for enterprise risk management. The results suggest that internal governance continues to be a challenge for firms as they outsource cloud technologies. The knowledge derived from this Ph.D. is useful, as it shows that institutions can benefit if they prioritize the evaluation of liability provisions in their cloud contracts, especially in cases where cloud risk events are a consequence of third-party risks. The findings also establish that internal governance is necessary to reduce the spillover effects of cloud contracts and that institutions can devise sufficient governance structures by implementing data policies and mechanisms that promote cooperation and coordination to oversee data management responsibilities.

    Dutch abstract (translated): This study examined the risk and governance challenges of financial institutions that outsource cloud technologies. Cloud outsourcing leads to a new way of working and fosters an environment in which technology and data are shared between groups and housed in regional hubs, according to global standards that are influenced by the policies of different countries. To manage the cloud effectively, institutions therefore need a thorough understanding of the applicable laws that govern the cloud relationship and of the laws that influence the internal control environment. This study explains that, conceptually, the framework nature of cloud contracts and the flexibility of the regulation make it particularly difficult for institutions to manage their risks effectively. A real case study of a cloud outsourcing transaction and survey data from experts at financial institutions were used to study expert perceptions of the severity of various types of cloud risks and the effectiveness of institutional risk management approaches. These findings were also confirmed in a comparative institutional study, in which similarities were found in the risk and governance concerns of experts at 13 different institutions in the United States, Europe and Canada. This research shows that effective governance can be more difficult for institutions that comply with US regulations because of the considerable differences in state policies on data privacy. Finally, this study looks at how uncertainties in the evaluation of data breaches and network failures become visible in other internal practices such as cloud risk assessments. A series of cloud risk experiments was created and distributed to 131 cloud risk experts working at financial institutions in the EU and the US to compare whether their risk assessments would differ significantly. The results show that the lack of specification in the regulations and the experience of cloud experts can contribute to considerable differences in risk and disclosure choices. In practice, most experts face considerable challenges in assessing the severity of cloud risk events, which have broader implications for enterprise risk management. The results suggest that internal governance remains a challenge for firms that outsource cloud technologies. The findings of this dissertation are useful because they show that institutions can benefit if they prioritise the evaluation of liability provisions in their cloud contracts, especially in cases where cloud risks are the consequence of third-party risks. The findings also show that internal governance is necessary to reduce the spillover effects of cloud contracts and that institutions can develop adequate governance structures by implementing data policies and mechanisms that promote cooperation and coordination to oversee data management responsibilities.

    Security in Cloud Computing: Evaluation and Integration

    French abstract (translated): Over the past decade, the Cloud Computing paradigm has revolutionised the way we perceive Information Technology (IT) services. It has given us the opportunity to respond to the constantly growing demand tied to users’ computing needs by introducing the notion of outsourcing services and data. Cloud consumers generally have on-demand access to a wide and well-distributed range of IT infrastructures offering a plethora of services. They are able to configure Cloud resources dynamically according to the requirements of their applications, without becoming an integral part of the Cloud infrastructure. This allows them to achieve an optimal degree of resource utilisation while reducing their IT investment costs. However, migrating services to the Cloud inevitably intensifies existing IT security threats and creates new ones that are intrinsic to the Cloud Computing architecture. This is why there is a real need to assess Cloud security risks during the process of service selection and deployment. In recent years, the impact of effectively managing the satisfaction of services’ security needs has been taken with growing seriousness by providers and consumers. However, successfully integrating the security element into Cloud resource management operations requires not only methodical research but also meticulous modelling of the Cloud’s security requirements. With these factors in mind, this thesis addresses the challenges of security evaluation and its integration in independent and interconnected Cloud Computing environments. On the one hand, we aim to offer Cloud consumers a set of methods that will allow them to optimise the security of their services and, on the other hand, we offer providers a range of strategies that will allow them to better secure their Cloud hosting services. The originality of this thesis lies in two aspects: 1) the innovative description of Cloud applications’ security requirements; and 2) the design of rigorous mathematical models that integrate the security factor into the traditional problems of application deployment, resource provisioning and workload management at the heart of current Cloud Computing infrastructures. The work in this thesis is carried out in three phases.

    ABSTRACT: Over the past decade, the Cloud Computing paradigm has revolutionized the way we envision IT services. It has provided an opportunity to respond to the ever-increasing computing needs of users by introducing the notion of service and data outsourcing. Cloud consumers usually have online and on-demand access to a large and distributed IT infrastructure providing a plethora of services. They can dynamically configure and scale the Cloud resources according to the requirements of their applications without becoming part of the Cloud infrastructure, which allows them to reduce their IT investment cost and achieve optimal resource utilization. However, the migration of services to the Cloud increases the vulnerability to existing IT security threats and creates new ones that are intrinsic to the Cloud Computing architecture, hence the need for a thorough assessment of Cloud security risks during the process of service selection and deployment. Recently, the impact of effective management of service security satisfaction has been taken with greater seriousness by Cloud Service Providers (CSPs) and stakeholders. Nevertheless, the successful integration of the security element into Cloud resource management operations requires not only methodical research but also the meticulous modeling of Cloud security requirements. To this end, we address throughout this thesis the challenges of security evaluation and integration in independent and interconnected Cloud Computing environments. We are interested in providing Cloud consumers with a set of methods that allow them to optimize the security of their services, and CSPs with a set of strategies that enable them to provide security-aware Cloud-based service hosting. The originality of this thesis lies in two aspects: 1) the innovative description of Cloud applications’ security requirements, which paved the way for an effective quantification and evaluation of the security of Cloud infrastructures; and 2) the design of rigorous mathematical models that integrate the security factor into the traditional problems of application deployment, resource provisioning, and workload management within current Cloud Computing infrastructures. The work in this thesis is carried out in three phases.